File Name:   AnyDesk.exe
SHA1:   6ccdae5524dac0ccd033985557775df0b7735157
MD5:   c2a98ef73f583a46cc861e01b1a86555
First Seen Date:   2017-05-19 00:42:51.947248
Number of Clients Seen:   12
Last Analysis Date:   2017-05-30 16:17:10.156492
Human Expert Analysis Result:   No human expert analysis verdict given to this sample yet.
Analysis Summary
Analysis Type | Date | Verdict |
---|---|---|
Signature Based Detection | 2017-05-30 16:17:10.156492 | Clean |
Static Analysis Overall Verdict | 2017-05-30 16:17:10.156492 | No Threat Found |
Precise Detectors Overall Verdict | 2017-05-30 16:17:10.156492 | No Match |
Static Analysis
Static Analysis Overall Verdict:   No Threat Found
Detector | Result |
---|---|
Optional Header LoaderFlags field is valued illegal | Clean |
Non-ASCII or empty section names detected | Clean |
Illegal size of optional header | Clean |
Packer detection on signature database | Unknown |
Based on the section entropy check, file is possibly packed | Suspicious |
Timestamp value suspicious | Clean |
Header checksum is zero | Suspicious |
Entry point is outside the 1st (.code) section; binary is possibly packed | Clean |
Optional Header NumberOfRvaAndSizes field is valued illegal | Clean |
Anti-VM present | Clean |
The SizeOfRawData value is illegal; binary might crash your disassembler/debugger | Suspicious |
TLS callback functions array detected | Clean |
Dynamic Analysis
Dynamic Analysis Overall Verdict:   No Threat Found
Suspicious Behaviors |
---|
Injects code to another process |
Creates a child process |
Writes to address space of another process |
Uses a function clandestinely |
Reads memory of another process |
Opens a file in a system directory |
Has no visible windows |
Behavioral Information
Local\ad_trace_mtx
Local\ad_system_mtx
Local\ad_mailbox_3056_2886095820_0_mtx
Local\ad_mailbox_3056_2886095820_1_mtx
Session\1\ad_connect_queue_1424_2907814570_mtx
"C:\AnyDesk.exe" --local-service
C:\AnyDesk.exe
C:\Windows\system32\EhStorShell.dll
Precise Detectors Analysis Results
Detector Name | Date | Verdict | Reason |
---|---|---|---|
Uninstaller FP Detector | 2017-05-30 16:17:00.367835 | No Match | No match. |
Yara Rule Static Malware Detector | 2017-05-30 16:17:00.364192 | No Match | No match. |
Static Precise PUA Detector 1 | 2017-05-30 16:17:00.367745 | No Match | NotDetected |
Static Precise Virus Detector | 2017-05-30 16:17:00.367559 | No Match | NotDetected |
Static Precise Trojan Detector | 2017-05-30 16:17:00.374597 | No Match | NotDetected |
Malicious Url Detector | 2017-05-30 16:17:10.135442 | No Match | No match. |
Advanced Heuristics
No Advanced Heuristic Analysis Result Received